What Cyber Risk Isn’t Third-Party Risk?

October 2022

We thought 2021 was a record-breaking year for cyberattacks. And it was. Compared to 2020, attacks increased 50%, peaking in Q4. But with each subsequent year, the numbers continue to get worse.

The stats are alarming: businesses face a ransomware attack every 11 seconds, 300,000 new pieces of malware are created daily, and hackers breached almost 4 million records in March 2022 alone. 

Unfortunately, no organization is exempt from being targeted by threat actors, and they are using softer targets – third parties – to gain access to our systems and networks. In August alone, we heard about a large-scale phishing campaign targeting Microsoft email credentials, the elaborate smishing scam impacting Twilio, and, on the hardware side, an unauthenticated RCE vulnerability affecting 29 models of the DrayTek Vigor series of business routers.

It’s safe to say there is no shortage of cyberattacks. And as businesses increase their dependencies on third-party tools and applications, the problems only grow. Risk management is no longer just about protecting your own attack surface; it is about understanding the security practices and vulnerabilities of all the other companies you do business with. When you think about it, what cyber risk isn’t third-party risk?

Third-Party Dependencies vs. Evaluation Gaps

According to a Forrester study, 82% of third-party threats present significant risk for organizations. COVID-19 accelerated digital transformation and third-party tool adoption, and while digital transformation has improved the efficiency and scalability of business operations, it has also increased third-party vulnerabilities and the workloads of security teams. In fact, 63% of organizations report having difficulty protecting their attack surface and ensuring their cloud environment is secure, and 82% of organizations cited experiencing a data breach as a result of the digital transformation process.

As security teams know all too well, the process of gathering third-party questionnaires and assessments is cumbersome and time-consuming, taking weeks or months to complete – if they are completed at all. 63% of security and risk practitioners still rely on third-party risk assessments as their primary means of evaluating a vendor, but CyberGRX Exchange data shows that 26% of the assessments requested are never completed, which translates to more potential risk.

Obviously, the more visibility you have, the better. When it comes to third-party cyber risk management, you need to be able to see across your portfolio and into the security posture of the suppliers you do business with, including those who don’t provide an assessment.

A Better Way of Managing Third-Party Risk

Many organizations go through the motions when it comes to evaluating the security profiles of vendors. The traditional approach to third-party risk management is a list of tasks – complete this assessment, file the responses, and you’re done. The process is not only ineffective and time-consuming, but it’s also incomplete – a snapshot in time. In reality, your risk profile is continually changing and evolving.

Forrester data shows that 61% of organizations are aware of and understand third-party and supplier risk, but many still fail to implement appropriate mitigation initiatives. Being aware is one thing; being proactive about your third-party risk is another.

Lacking a defined third-party risk management strategy creates the opportunity for a breach, even if internal risk management strategies are otherwise solid and effective.

Considering that 67% of companies had a third-party-related cyber incident in the last year, a real-time look into your risk profile is essential to protecting your organization with confidence. If you know in advance what the risks of any vendor in your portfolio are going to be, it shifts the conversation (and mentality) away from data collection to data analysis and actionable insights. However, with the traditional approach to managing risk – bespoke assessments and the manual processing of them – anticipating your risks and proactively taking action to reduce them is next to impossible.

The Benefits of a Risk Exchange Platform

“Risk exchange” is a powerful concept – the idea of sharing information across third-party relationships. But a TRUE risk exchange is more than just collecting and sharing data; it’s the collection of a standardized set of data.

“True risk exchange makes best use of standardized data sets that really open up a lot of efficiencies and insights across a portfolio,” explained Dave Stapleton, CISO of CyberGRX. “Third parties are integral to the success of our business. We share sensitive data with them, we rely on them for critical business processes, and they enable our businesses, too. So, it’s essential to have a significant focus on third-party risk management,” said Dave.

“The traditional approach has not produced a lot of good action, and the management of third parties has not necessarily been the strong suit of many CISOs. It’s imperative to use a true risk exchange model to unlock efficiencies and get our staff back to the work of cybersecurity versus hunting down questionnaires, assessments, and spreadsheets.” 

The objective for CISOs is to view managing risk as a collective power: identifying unacceptable risks and developing corrective actions. “The first step is to see the data across your entire portfolio, then prioritize the risks that are most critical to your organization,” said Dave. And that’s one of the primary benefits of a risk exchange platform.

If you’d like to learn more about how to manage your third-party cyber risk more effectively, we invite you to book a demo to get an insider preview of the CyberGRX Exchange. We’ll show you your third-party blind spots, the tools you can access to evaluate the degree of risk each vendor poses to your organization, and how you can manage your third-party cyber risk program with confidence. You have nothing to lose and everything to gain – book a demo now.
